2008 Google Summer of Code Application: Steven King
Drupal.org Username:
verbal
Overview
I would like to work on a multi-factor authentication system for Drupal. I want to implement the Perfect-Paper-Passwords multi-factor authentication system created by Steve Gibson (www.grc.com/ppp) as a Drupal module. In creating this system I will also evaluate the feasibility of creating a multi-factor API so other multi-factor login systems will be easier to implement in the future.
Project Specifics
I looked at implementing the Perfect Paper Passwords multi-factor authentication system in Drupal. The Perfect Paper Passwords authentication system allows administrators to generate a paper pass-card like the one below which has many passwords on it. Additionally, each user has their own unique pass-card.

When the user attempts to log in to a system using the PPP (Perfect Paper Passwords) system, they are asked for their normal password and a password from a specific row and column of the paper pass-card they have in their possession. After the user uses a pass-code from a specific row/column, it will never be used again. This makes the system strong against key loggers and even advanced screen capture systems.
The problems with implementing this system in Drupal are two-fold. First, I am not able to figure out how to easily hook the PPP system into the user login process. Secondly, I will need to write a system for managing which users would require the PPP system for logins. I realize that if I want to implement any other multi-factor system in Drupal, I will need to rewrite the user authentication management page as well as the mechanism for hooking into the login system.
I currently use a VeriSign Security Key like the one pictured below to log in to PayPal and eBay.
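A minimal sketch of the row/column challenge and one-time check described above, added here as an example; it is not code from this application or from the PPP specification. It assumes a card of 7 columns by 10 rows with 4-character pass-codes and uses HMAC-SHA256 as a stand-in for PPP's own pass-code generator; all names are hypothetical.

```python
import hashlib
import hmac

# 64 easily distinguished characters (assumed alphabet); 256 % 64 == 0, so
# reducing a digest byte modulo 64 introduces no bias.
ALPHABET = "23456789!#%+:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
COLS, ROWS, CODE_LEN = "ABCDEFG", 10, 4  # assumed card layout


def passcode(key: bytes, index: int) -> str:
    """Derive pass-code number `index` from the user's secret key."""
    digest = hmac.new(key, index.to_bytes(16, "big"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:CODE_LEN])


def position(index: int):
    """Map a pass-code number to (card number, row, column letter)."""
    card, offset = divmod(index, len(COLS) * ROWS)
    row, col = divmod(offset, len(COLS))
    return card + 1, row + 1, COLS[col]


class PPPVerifier:
    """Server-side state for one user: the secret key and the next unused index."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_index = 0  # must be stored persistently and updated atomically

    def challenge(self):
        """Tell the login form which card, row and column to ask for."""
        return position(self.next_index)

    def verify(self, response: str) -> bool:
        expected = passcode(self.key, self.next_index)
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(expected.encode(), response.encode())
        if ok:
            self.next_index += 1  # a used pass-code is never accepted again
        return ok
```

A captured pass-code is useless after one successful login because the server has already moved on to the next position; failed attempts still need rate limiting, which this sketch leaves out.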

When I log in, eBay and PayPal know, within a margin of error, what the next number will be when I press the button to generate it. I type in the numbers displayed on the security token as a second form of authentication to log in. I know this service is slowly becoming available for companies to use as a second form of authentication. Companies like VeriSign are developing multi-factor security systems for the business and commercial sectors. Companies may soon require these systems to be used. If they are using Drupal sites, then we need a method to allow these systems to be easily integrated with the Drupal login process.
Depending on my experience writing the PPP system, I will evaluate the need to write a multi-factor API. If required, the API module will have the appropriate administration pages to allow administrators to set which users will use which forms of multi-factor authentication. The API will also provide hooks into a mechanism for inserting the correct steps for the multi-factor authentication system into the Drupal login process. If a full API is not needed, I will instead write documentation explaining the easiest method of implementing a multi-factor authentication system in Drupal.
Project Milestones
- Implement the Perfect Paper Passwords system as a Drupal module, keeping in mind areas that can be abstracted.
- Analyze the need for a general purpose multi-factor API module
- If needed, tweak and change the Perfect Paper Passwords system to work using the multi-factor API
- Write documentation so that other developers looking to implement additional multi-factor authentication systems will be able to do so easily
Project Timeline
- Write the PPP system as a Drupal module: 5 weeks.
- Write detailed documentation on the PPP module: 1 week.
- Analyze and discuss the need for a general purpose multi-factor API module: 1 week.
- If a multi-factor API module is needed, lay the groundwork for it (design and plan): 1 week.
- If a multi-factor API module is needed, complete the multi-factor API with community feedback: 2 weeks.
- If a multi-factor API module is NOT needed, spend those 3 weeks writing very detailed documentation with code examples on how to hook a multi-factor system into Drupal.
- Fix bugs found by myself and the community: 2 weeks.
Deliverables
- PPP module for Drupal
- Documentation for PPP module for Drupal
- If a multi-factor API is needed, it will be written.
- Otherwise, extensive documentation will be written to demonstrate how to implement other multi-factor authentication systems in Drupal.
Benefits to Drupal
Drupal prides itself on being a content management system for a wide range of uses, from internal applications serving just a few users to e-commerce sites, blogs, and news sites serving millions of people. Just recently, in the United States, it was federally mandated that all on-line banking systems implement a minimum form of multi-factor authentication. Granted, some did it better than others, as reflected in my post which was featured on thedailywtf.com (http://thedailywtf.com/Articles/Banking-So-Advanced.aspx). These types of systems are getting national attention, and companies like VeriSign are implementing multi-factor authentication solutions to fill this need. It is only a matter of time before more and more businesses start requiring multi-factor authentication for their internal and external applications. Given the opportunity, I would like to make these multi-factor authentication systems easy to integrate with Drupal.
About Me
I am a 21-year-old student at Virginia Polytechnic Institute and State University (Virginia Tech) in Blacksburg, Virginia. I am a senior Computer Science major with a minor in Mathematics. I have worked internships and co-ops every summer since I started at Virginia Tech. My freshman and sophomore summers, I spent working as an intern (3 months) and then as a co-op (7 months) for a government contractor that did work for the United States Coast Guard. I wrote a web application, using the .NET framework, that supported a search and rescue system used by the Coast Guard. The work I did is currently being used in search and rescue missions today.
My junior year I worked for DesignNine Inc. and its subsidiary company Webvillages.us. I set up and configured Drupal sites for local businesses and community groups. I first wrote a custom payment system to allow purchasing of items through the e-commerce cart-system with Click and Pledge (an online payment system similar to PayPal). I then wrote a custom module that linked the image ad module to the e-commerce module. It allows image advertisements to be created as products in the e-commerce store. When a user goes to the e-commerce store they see items like “Image Advertisement – 3 months” and “Image Advertisement – 6 months” which they can add to their cart and purchase through the cart system. After the product is purchased, the system creates an image advertisement node which is picked up by the ad module. The user is then able to upload an image for their advertisement and activate it. Once activated, the advertisement will only be shown for the amount of time purchased. Check out www.blacksburgvirginia.us/product for an example of my code in action. I also wrote a custom install profile for a set of Drupal sites the company commonly installs. It leverages automatic creation of content, menu items, and CCK types. Unfortunately, at the end of the summer, I was unable to convince my employer to allow me to release the modules I wrote to the Drupal community. I tried to convince my employer of the benefits of giving back to the open source community, but they decided that if the module was released another company could easily replicate their business model and put them out of business. Due to this non “open source friendly” experience, I would like the opportunity to work in Google’s Summer of Code where I know I can make valuable contributions to the Drupal community.

Comments
Issues that have been raised so far
I submitted this via the GSOC site first, and this is the first response I got and my response to the response:
And my response